What roles are required for a user to view device provisioning service enrollment groups?

Chris Hibberd 26 Reputation points
2022-05-04T15:49:59.8+00:00

Hi

I am trying to configure IAM settings for our device provisioning services (DPS) so that a group of users has permission to view the resources, including the enrollment groups. I have tried adding Reader role at the resource group scope and Device Provisioning Service Data Reader at the DPS scope, but the users in the group still cannot view the enrollment groups. In the portal, they can view the DPS page, but when they select "Manage Enrollments" an error dialogue is displayed, as shown below. Is anyone able to let me know what permissions I have to add to enable this action?

Thanks,

Chris

198897-image.png

Azure IoT Hub
Azure IoT Hub
An Azure service that enables bidirectional communication between internet of things (IoT) devices and applications.
1,156 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,535 questions
0 comments No comments
{count} votes

Accepted answer
  1. António Sérgio Azevedo 7,666 Reputation points Microsoft Employee
    2022-05-05T14:20:37.103+00:00

    Hello @Chris Hibberd ,

    You should just need to give the Device Provisioning Service Data Reader Role at the Azure IoT DPS Scope. Can you try creating a custom Role and instead of using the wildcard, select all the Microsoft.Devices/provisioningServices read permissions ? See how to create a custom role in the portal here. I would clone the Device Provisioning Service Data Reader and select the permissions needed like described in Permissions for Azure IoT Hub Device Provisioning Service (DPS) APIs:

    199176-image.png

    199293-image.png

    You can use this JSON list to test:

    199237-image.png

    "permissions": [  
                {  
                    "actions": [  
                        "Microsoft.Devices/provisioningServices/Read",  
                        "Microsoft.Devices/provisioningServices/certificates/Read",  
                        "Microsoft.Devices/provisioningServices/operationresults/Read",  
                        "Microsoft.Devices/provisioningServices/skus/Read",  
                        "Microsoft.Devices/provisioningServices/privateEndpointConnectionProxies/Read",  
                        "Microsoft.Devices/provisioningServices/privateEndpointConnectionProxies/operationResults/Read",  
                        "Microsoft.Devices/provisioningServices/privateEndpointConnections/Read",  
                        "Microsoft.Devices/provisioningServices/privateEndpointConnections/operationResults/Read",  
                        "Microsoft.Devices/provisioningServices/privateLinkResources/Read",  
                        "Microsoft.Devices/provisioningServices/diagnosticSettings/read",  
                        "Microsoft.Devices/provisioningServices/logDefinitions/read",  
                        "Microsoft.Devices/provisioningServices/metricDefinitions/read"  
                    ],  
                    "notActions": [],  
                    "dataActions": [  
                        "Microsoft.Devices/provisioningServices/registrationStates/read",  
                        "Microsoft.Devices/provisioningServices/enrollmentGroups/read",  
                        "Microsoft.Devices/provisioningServices/enrollments/read"  
                    ],  
                    "notDataActions": []  
                }  
            ]  
    

    199286-image.png

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful